From owner-p4-projects@FreeBSD.ORG Sun Nov 16 10:11:22 2003 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 2D31A16A4D0; Sun, 16 Nov 2003 10:11:22 -0800 (PST) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D96AC16A4CE for ; Sun, 16 Nov 2003 10:11:21 -0800 (PST) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2DEC643FBF for ; Sun, 16 Nov 2003 10:11:21 -0800 (PST) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.12.9/8.12.9) with ESMTP id hAGIBLXJ003562 for ; Sun, 16 Nov 2003 10:11:21 -0800 (PST) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.12.9/8.12.9/Submit) id hAGIBKJX003559 for perforce@freebsd.org; Sun, 16 Nov 2003 10:11:20 -0800 (PST) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Date: Sun, 16 Nov 2003 10:11:20 -0800 (PST) Message-Id: <200311161811.hAGIBKJX003559@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f From: Robert Watson To: Perforce Change Reviews Subject: PERFORCE change 42559 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 16 Nov 2003 18:11:22 -0000 http://perforce.freebsd.org/chv.cgi?CH=42559 Change 42559 by rwatson@rwatson_tislabs on 2003/11/16 10:10:34 Implement support for mac_set_fd() for sockets, allowing MAC-aware programs to treat sockets in the same manner as pipes, fifos, and vnodes. To do this, abstract check/set logic for socket labels from mac_setsockopt_label() into mac_socket_label_set() congruent to mac_pipe_label_set(). Affected files ... .. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#435 edit .. //depot/projects/trustedbsd/mac/sys/security/mac/mac_internal.h#17 edit .. //depot/projects/trustedbsd/mac/sys/security/mac/mac_net.c#17 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#435 (text+ko) ==== @@ -920,6 +920,7 @@ { struct label *intlabel; struct pipe *pipe; + struct socket *so; struct file *fp; struct mount *mp; struct vnode *vp; @@ -984,6 +985,21 @@ mac_pipe_label_free(intlabel); break; + case DTYPE_SOCKET: + intlabel = mac_socket_label_alloc(M_WAITOK); + error = mac_internalize_socket_label(intlabel, buffer); + if (error == 0) { + so = fp->f_data; + mtx_lock(&Giant); /* Sockets */ + /* XXX: Socket lock here. */ + error = mac_socket_label_set(td->td_ucred, so, + intlabel); + /* XXX: Socket unlock here. */ + mtx_unlock(&Giant); /* Sockets */ + } + mac_socket_label_free(intlabel); + break; + default: error = EINVAL; } ==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_internal.h#17 (text+ko) ==== @@ -119,6 +119,8 @@ char *outbuf, size_t outbuflen); int mac_internalize_pipe_label(struct label *label, char *string); +int mac_socket_label_set(struct ucred *cred, struct socket *so, + struct label *label); void mac_copy_socket_label(struct label *src, struct label *dest); int mac_externalize_socket_label(struct label *label, char *elements, char *outbuf, size_t outbuflen); ==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_net.c#17 (text+ko) ==== @@ -994,6 +994,30 @@ } int +mac_socket_label_set(struct ucred *cred, struct socket *so, + struct label *label) +{ + int error; + + error = mac_check_socket_relabel(cred, so, label); + if (error) + return (error); + + mac_relabel_socket(cred, so, label); + + /* + * If the protocol has expressed interest in socket layer changes, + * such as if it needs to propagate changes to a cached pcb + * label from the socket, notify it of the label change while + * holding the socket lock. + */ + if (so->so_proto->pr_usrreqs->pru_sosetlabel != NULL) + (so->so_proto->pr_usrreqs->pru_sosetlabel)(so); + + return (0); +} + +int mac_setsockopt_label(struct ucred *cred, struct socket *so, struct mac *mac) { struct label *intlabel; @@ -1014,32 +1038,15 @@ intlabel = mac_socket_label_alloc(M_WAITOK); error = mac_internalize_socket_label(intlabel, buffer); free(buffer, M_MACTEMP); - if (error) { - mac_socket_label_free(intlabel); - return (error); - } + if (error) + goto out; - /* XXX: Will eventually grab a socket lock here. */ - mac_check_socket_relabel(cred, so, intlabel); - if (error) { - mac_socket_label_free(intlabel); - return (error); - } - - mac_relabel_socket(cred, so, intlabel); - - /* - * If the protocol has expressed interest in socket layer changes, - * such as if it needs to propagate changes to a cached pcb - * label from the socket, notify it of the label change while - * holding the socket lock. - */ - if (so->so_proto->pr_usrreqs->pru_sosetlabel != NULL) - (so->so_proto->pr_usrreqs->pru_sosetlabel)(so); - /* XXX: Will eventually release a socket lock here. */ - + /* XXX: Socket lock here. */ + error = mac_socket_label_set(cred, so, intlabel); + /* XXX: Socket unlock here. */ +out: mac_socket_label_free(intlabel); - return (0); + return (error); } int